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Purpose of This Guide: What Are Open Source 
eje es P) 

Security practitioners will be given insight Vulnerabilities? 

into the value of identifying and tracking the 

risks introduced by the use of open source 

components across their software development 


Introduced through open source components 
that contain weaknesses in the code, open 


life cycle (SDLC). Aside from providing a better source vulnerabilities are capabilities that can be 
understanding of this growing threat landscape, exploited by an attacker—introduced accidentally 
this guide will outline the importance of as a bug or added intentionally in specially 
protecting business processes and corporate crafted malicious packages. In addition, open 
assets. Methods to mitigate vulnerabilities source software can unexpectedly cause license 


Wopen spure components; used by the risks for the organization as these components 

organization s custom-built applications, will allow developers and users to view, modify, and 

also be explored. Use this guide to learn more distribute the software to anyone for any purpose 

about Trend Micro Cloud One” — Open Source , oe Ae 4 ; La ie 
This practice is common due to the majority 


of open source software being worked on and 
The Rise of Open Source distributed in a collaborative public process. 


Security by Snyk and how to get started. 


As the demand for web, mobile, and cloud- 
native applications increases across business 
and consumer requirements, so has the use 

of open source software. Well-designed open y W 
source libraries help speed up development 
cycles for commercial software by providing 
components that reduce the need to build 


“Open source software 
entire applications from the bottom up. Open is used within mission- 


source libraries provide a significant advantage 


due to public availability, ease-of-use, and critical IT workloads 
decentralization abilities for modern software by over 95% of the IT 
development. . . . 
organizations worldwide, 
Yet, as with any software, there are potential whether they are aware 


security risks. Vulnerabilities can sometimes go j 
unchecked because organizations are unaware or not 
that they are using a vulnerable open source 
component in their application. While the - Gartner Market Guide for Software 
open source community can identify potential Composition Analysis * 

exploits and report them to be fixed, bad 
actors can also scour code or take advantage of 
publicly available vulnerability listings that can 
affect millions of projects. 





1 Gartner Market Guide for Software Composition Analysis, 18 August 2020- ID G00721255 
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What Should CISOs Consider? 


Organizations are increasingly more aware of the impact open source risks can have on upstream 
processes and their overall security posture. However, maintaining necessary visibility across multiple 
development teams, regions, and projects has proved to be a daunting task. 


ClSOs need to consider that building applications on open source libraries requires pulling in a great 
number of dependencies, which can increase risks organizations face from both security and a license 
compliance standpoints. 


“75% of codebases audited by security vendors had 
security vulnerabilities or license risks.” 






- Snyk State of Open Source Security Report? 


Cloud computing uses source components that often create blind spots for security operations 
teams. Unfortunately, some security practices and tools do not provide visibility or robust Software 
Composition Analysis (SCA) into the security risks present in open source library dependency. Security 
teams, as well as business and legal teams, can be overwhelmed with developer-focused detail that 
lacks the language needed to identify and monitor security and license risks. 


Deployed applications bundle your proprietary 
code and selected open source code along with 


your dependencies. Keeping track of all libraries 
and dependencies requires time despite being “78% of vulnerabilities 
an important critical task. Many traditional noa i 

l cone are found in indirect 
tools are not able to dig deeper into indirect or eas al 
transitive dependencies and lack well-architected dependencies 
dependency trees to help SecOps define risks. 


- Snyk State of Open Source 
Security Report? 





2 Snyk State of Open Source Security Report, April 2020 
3 Snyk State of Open Source Security Report, April 2020 
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What Should Security Practitioners Consider? 


Traditional code-base vulnerability detection 
solutions keep security teams siloed and 

don’t allow SecOps to go from zero visibility 

to completely informed. Development teams 
have always had the ability to measure success 
through tools specific to their needs while 
security teams have been left out of the code 
vulnerability discussion within the SDLC. 


Many organizations rely on Static Application 
Security Testing (SAST), or Dynamic Application 
Security Testing (DAST). These tools are critical 
when it comes to scanning for vulnerabilities 

in ‘closed source’ or proprietary code, however 
proprietary code in custom applications only 
make up a fraction of the code base itself and 
does not address open source components. 


While proprietary code can be equally 
vulnerable—as demonstrated by the 2020 
SolarWinds hack—it requires more effort 

and collaboration to find a vulnerability 

and is specific to a given application. Open 
source code vulnerabilities can be more easily 
exploited by the masses due to the fact that 
this code is publicized, available to test, and 
security databases list known-risks that may 

or may not have a patch. In addition, a single 
exploit of an open source vulnerability can be 
used to attack many organizations. Software 
composition analysis is agile across open source 
libraries as opposed to a specific code language 
or function. 


When security tools don’t easily integrate 
into developer workflows and CI/CD 
pipelines, it often results in a long list of 
nonactionable false-positives that hinder 
development. As security workflows and 
input shift further left, security teams and 
CISOs have less insight into the development 
pipeline, and protection accuracy and 
security depth can suffer. 


While you have likely heard of DevSecOps 
methodologies and tools that attempt 

to close these gaps, many have created 
misalignment across toolsets and 
communication rifts between security 

and DevOps teams. As workflows shift 

left and DevOps teams gain momentum 
earlier in development, security operations 
teams still own risk management for their 
organizations. 


When security operations teams are able 
to successfully identify risks in open source 
code independently and manage up the 
open source security posture to the CISO, 
it’s easier to collaborate with developers 
without impeding their workflows and 


efficiencies. This also makes it easier to A É 


the open source detection over time and 


over its remediation progress. O 
O P O 


gauge and forecast risk based on IA 
n 


A 
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Open Source Risk Examples 


Apache Struts is a free open source framework for creating Java web applications, widely used 
by Fortune 100 companies. Apache Struts2 exploit used against Equifax (CVE-2017-5638) was a 
result of Struts’ parser, called Jakarta (responsible for the mismanagement of files uploaded to 
the web server) which allowed hackers to remotely run code. 


A high severity prototype pollution security vulnerability (CVE-2019-10744) affected all versions 
of the popular “npm Lodash” library. The vulnerability could be exploited by an attacker to inject 
properties on “Object.prototype” to disclose or modify data or cause denial-of-service attacks. 
It was used by 4.35 million projects on GitHub alone. The project had just shy of 40k GitHub 
project stars, and the library had been downloaded over 80 million times each month. 





© Malicious Package In 2019, the popular npm ibrary Lodash 
150 was used by 4.35 million projects on 
GitHub alone. The project had just shy of 
40k GitHub project stars, and the library 
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Figure 1 





Vulnerabilities Reported vs. Projects Impacted.* 


An older example of an open source vulnerability is Heartbleed. Hundreds of millions of websites 
were affected in the popular OpenSSL cryptographic software library. This weakness allows bad 
actors to steal the information protected by the SSL/TLS encryption used to secure the internet 
(CVE-2014-0160). 


Commercial software composition analysis (SCA solutions) goes beyond CVEs and curate 
their own databases with additional vulnerabilities and richer data, finding issues earlier, more 
accurately, while helping to fix them better. When using an SCA solution, check that its DB also 
tracks non-CVE vulnerabilities for maximum coverage.” 


Some websites may depend on dozens or even hundreds of such libraries, which could be 
scattered across dozens of servers on multiple continents. Understanding that landscape quickly 
and holistically is critical to the security teams and business management. Having a keen sense 
of what is happening across all development teams is not easy, but it is possible and it can make 
a difference between being proactive and reactive to open source risks. 





4Snyk State of Open Source Security Report, April 2020 
5 Securing Open Source Libraries, O’Reilly 








Page 6 of 16 * Trend Micro Cloud One™ - Open Source Security by Snyk >>> Back to TOP 


The Solution 


As the IT landscape shifts more toward cloud-native application development, organizations need 
ongoing security visibility and tracking of open source vulnerabilities and license risk. 


Development teams move fast, making it hard for SecOps to keep up. It becomes even more 
difficult when security teams are stretched thin and must oversee all business unit threats—those 
beyond the dozens of application development projects and code repositories. Security teams have 
worked hard to secure the stack by integrating both internal and external services protection. With 
the use of more open source components and the growth of DevOps, the security landscape has 
expanded, as has the attack surface. 


It is critical to implement open source vulnerability detection into the security stack. This helps 
tighten security protocols and best practices further left in the software development life cycle. 
With SecOps having little influence at the code level, these teams can now have the visibility and 
awareness needed to make informed decisions and to track open source risks. This creates a better 
alliance and bridges the gap between SecOps and DevOps. Expert advice is given to security teams 
to help monitor and track risks throughout the software supply chain, providing protection and 
awareness early without being overlooked or neglected. 


Organizations require solutions that can enable cohesion between development and security. This 
allows teams to efficiently manage and mitigate the risk introduced from the rapid pace of open 
source application development. To scale at a rapid pace, solutions must support development and 
security team alignment and close the communication and tool gap between one another. 


Software Composition Analysis (SCA) is a solution built to help security teams surface 
vulnerabilities and license issues early in the development cycle. This enables security operations 
professionals to understand the known risk in their development projects and prioritize critical 
issues to fix. 


Continuous insight and remediation into open source vulnerabilities and license issues in code 
unites developer and security operations teams. 
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Introducing Trend Micro Cloud One — 
Open Source Security by Snyk 





The first-ever purpose-built service for security operations teams, Trend Micro Cloud One — Open Source 
Security by Snyk automatically finds, prioritizes, and reports vulnerabilities and license risks in open 
source dependencies used by your applications. As part of the Trend Micro Cloud One” security platform, 
this solution connects with your code repositories and CI/CD pipelines to scan projects. Security teams 
are empowered with better visibility, tracking, and early awareness into open source issues. 





Trend Micro Cloud One — Open Source Security by Snyk provides ongoing security insight to help 
organizations identify, manage, and resolve open source risks. 
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Without visibility into open source code risks, the task of remediating vulnerabilities is an 
upstream process for security teams. At times, security teams can’t move fast enough to keep 
pace with application development and require a systematic view into risks that can impact 
the business as well as its customers and partners. Trend Micro Cloud One — Open Source 
Security by Snyk delivers visibility into the overall state of the security compliance posture in 
one location, so SecOps can benefit from consolidated guidance and risk mitigation. 
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Understanding How Trend Micro Can Help Reduce Open Source Risks 


See all direct and indirect dependency paths to identify vulnerabilities in the open source code 
being used by your organization and receive clear details from the Knowledge Base on how to 
fix them. 











Gain visibility 


Scan projects in code repositories to gain 
visibility into open source dependency suesover tme posure window 
vulnerabilities. Monitor trends across your | 








entire organization’s open source landscape i 
through dashboards and reports. - - L 


942 18 109 5 1 1 


Eliminate blind spots =. 


SecOps teams can generate an automated 
open source Bill of Materials report to 
immediately receive risk and priority scores 
to quickly deal with vulnerabilities and 
license issues. This includes zero-day threats 
detected early in the pipeline stages to 
ensure security awareness. 
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Trusted security 





Collaborate between SecOps and 
DevOps teams and establish best wn . 
practices for open source use and sn Sc 301 
accelerate remediation of cybersecurity boon Co aes 








risks. Use open source vulnerability rato om 
details to correlate with those 
applications live in production. 








Surface hidden license risks: 


Security and Legal teams can benefit by receiving instructions about each license identified in your 
open source components and monitor them all from one place. 





Complement existing services: 


Increase protection across your security stack by including Trend Micro Cloud One” — Container 
Security to gain deeper vulnerability detection at the container image and registry layer. Gain 
Kubernetes admission control and runtime protection and visibility into all applications. 


Trend Micro Cloud One™ — Open Source Security by Snyk 





Trend Micro minimizes complexity by giving you a unified view of security insights, enabling you to 
make data-driven security decisions. Trend Micro Cloud One — Open Source Security by Snyk provides 
rich contextual information about security vulnerabilities found in open source dependencies. This 
enables developer and security operations teams to gain deeper visibility into their code and to 
prioritize issues. 





v Integrate with third-party 
source code repositories 
and CI/CD tools 
e.g., GitLab, GitHub, 


v 
Jenkins Tag projects 


v Scan for open source 
vulnerabilities 
v Apply open source 


inccass via Trond Micto One Group One Organization license policy 


Cloud One 
Trend Micro Cloud One™: 
Cloud Security 
Services Platform 


v Aggregate data at the 
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Using the Snyk vulnerability database 
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e Dependency tree view. Accelerate the triaging 
process with a dependency path analysis. 
Understand the path through which transitive 
vulnerabilities have been introduced. 


e Dependency health. Broaden your security 
coverage by identifying risks associated with 
dependencies inside your open source libraries. 
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e Runtime prioritization. Prioritize your fixes 
based on an analysis of the vulnerabilities 
called at runtime and that bear a higher risk. 


e Exploit maturity. Use indicators to identify 
exploits that attackers can easily weaponize. 


e Accuracy control. Receive high-accuracy 
alerts that are verified and qualified by Snyk’s 
dedicated security research team. 
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How to Get Started 


Trend Micro Cloud One — Open Source Security by Snyk “integration” is a pre-existing 
implementation that can connect to various tools based on your configuration (like source control 
or container registries) to discover your application. To set up an integration, administrators 
configure one or more of the tiles in the UI “integrations” tab. Configuration occurs on each tile 
and requires credentials or an API key. Each integration can contain additional configuration 
settings specific to the integration. 


After setup, each integration will provide users the ability to import projects. 
(See below for import instructions) 


Trend Micro Cloud One — Open Source Security by Snyk supports integration with Git-based 
solutions like GitHub, and GitLab, as well as integrations such as Azure Repos, Jenkins, AWS 
Lambda, Artifactory, Bitbucket, GoLand, and more. 





In Trend Micro Cloud One — Open 

Source Security by Snyk, information =a cee 
is organized based on projects. A ea © © 
project represents a list of issues gis soe i 
which includes both vulnerabilities 

and license compliance issues. Issues ey Saal 
are determined by analyzing the 

package manager of your application 

and reviewing the direct and indirect 

dependencies. When developers 

create an application, they list the 

direct dependencies needed, which 

have their own dependencies called 

“indirect dependencies”. (See direct 

and indirect dependencies in the 

“Dependency Tree View” section). 


>>> Back to TOP 


Importing projects can be completed using | sing 
various methods. The two most common 
are Trend Micro Cloud One — Open Source 
Security by Snyk UI or the CLI. Use the 
Trend Micro Cloud One — Open Source 
Security by Snyk UI to import projects by 
selecting the integration from the list. (See 











below for an example using GitHub). 
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To learn more about how to deploy or analyze 


Trend Micro Cloud One — Open Source Security by Snyk visit 
the Trend Micro Cloud One Documentation. 
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Trend Micro Cloud One — Open Source Security by Snyk is powered by the leading vulnerability 
database, providing comprehensive and actionable open source vulnerability intelligence. 


e Dedicated team of security experts. The Snyk e Best coverage in the market. Snyk has regularly 
Vulnerability Database is managed by experts, outperformed other vendors in head-to-head 
researchers, and analysts. This team ensuring evaluations against other vulnerability 
the database maintains a high level of accuracy identification vendors. 


with a low false-positive rate. 
e First to know and publish. Snyk exposes many 


Curated, enriched, and actionable content. vulnerabilities before they are added to public 
The team enriches the data describing each databases. On average: 

vulnerability with hand-curated content and 
summaries, including code snippets where 
applicable. All items in the database are 
analyzed and tested for their accuracy (for e Discovers 370% more vulnerabilities 
example; version ranges, vulnerable method). 
A CVSS score and vector is assigned to 100% of 
vulnerabilities. 


e 


e Snyk publishes vulnerabilities 92 days 
sooner than NPM Audit 


e Identifies vulnerabilities 25 days faster 


e 92% of the JavaScript vulnerabilities in 
NVD were added first to the Snyk database 


e 


Beyond CVE/NVD. The Snyk Vulnerability 
Database expands far beyond CVE 
vulnerabilities and includes many additional 
non-CVE vulnerabilities that are derived from 
additional sources. 
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Why Trend Micro Cloud One — 
Open Source Security by Snyk 





As part of the Trend Micro Cloud One” SaaS security platform, Trend Micro Cloud One — 
Open Source Security by Snyk provides visibility and tracking of vulnerabilities and license 
issues of open source dependencies. With this advanced service, Security Operations 
teams are able to gain awareness of open source vulnerabilities and license risks in their 
applications for better risk management. 


Trend Micro Cloud One gives you complete security and insight into the protection of 
your applications. Your team is provided with a view into the prioritizations of the risks 
and threats that can impact your runtime security. Trend Micro Cloud One — Open Source Go 
Security by Snyk enables you to dive deeper into your application security threats with 

visibility into the dependency paths and transitive vulnerabilities. 


threats earlier. Security teams are connected with development teams to create a com 
tool that can drive risk management and help mitigate open source security bugs within o 
¢ 
P 


Trend Micro provides security teams with visibility sooner in their build cycles to reduce O 


your application code base. S 
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Securing Your 
Connected World 
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